STATE OF CYBER SECURITY:
RECRUITMENT INDUSTRY
X
/ THIS RESEARCH
Sample: Recruitment agencies from APSCo UK memberships
Published: Recruiter magazine
Sample Size: 584
Conducted: May '22 & July '23
/ READ MORE
Featured in…
Are you an APSCo member?
Your agency was included in this research. You're entitled to review your individual report.
Your report is automated but we will be confirming your employment with the relevant organisation.
đ STOLEN PASSWORDS
Did you know?  Stolen and/or weak passwords account for 81% of hacking-related breaches*.
/ agencies WITH stolen passwords
Employee username and password details become breached when they’re circulating on lists on the Dark Web. They can be used by criminals to gain access to corporate IT systems.
/ VOLUME OF BREACHED PASSWORDS PER agency
The more passwords available, the greater the likelihood of criminal success.
expert
insight
Pete Watson
CEO, Atlas Cloud
âWeâre all bound by the GDPR, which the UK adopted post-Brexit, to protect personal data. Directors often delegate cyber risks yet are the ones answering the ICO if anything ever happens â we need to break this dichotomy.
âSince our study last year, weâve had a real-world reminder of what happens when candidate information unlawfully gets into the wrong hands. Costs spiral the moment you inform affected candidates, as youâre duly bound to do. From direct costs like candidate compensation claims to indirect costs like clients, candidates â eventually â consultants preferring to work with agencies without tainted reputations.â
đŁ phishing protection [new for '23]
/ agencies at risk from phishing
2 in 3 agencies didn’t have phishing protection, the remaining may but we couldn’t validate that.Â
expert insight
âOn the face of it, you think your own employees are smart enough to detect spoofing and therefore write off the need for specialised protection. But youâre devaluing the power of social engineering.
âSure, catch-all attempts will be ignored by your employees but criminals are far more sophisticated these days, especially when they can earn so much. Theyâll typically look to find out key information in advance from other employees, like who the company banks with and what days it makes pay runs. Then use this information in the phishing attempt.
âSo, when you get an email request from the CEO containing information only known internally, you tend not to question it. It costs thousands.â
Pete Watson
CEO, Atlas Cloud
đ» DOMAIN VULNERABILITIES
/ agencies with
DMARC applied
DMARC adoption has jumped up from less than 1 in 4 agencies last year! It stops criminals from hijacking your domain.
/ DOMAIN VULNERABILITIES BY SEVERITY
Domains are used in corporate web and email addresses; vulnerabilities can creep in based on configurations. Issues have decreased significantly since last year!
expert
insight
Pete Watson
CEO, Atlas Cloud
âItâs great to see our research from last year may have been making an impact.
“Directors looking to take a more hands-on approach should start with a simple third-party cyber audit or consider running the agency through the Government-backed Cyber Essentials scheme.â
đ WEBSERVER VULNERABILITIES
/ agencies with webserver vulnerabilities
Webservers govern websites and often process/store candidate CVs, containing valuable personal information.
expert insight
âThese are often simple fixes, like keeping your websiteâs content management system up-to-date.â
âGiven the ease of solution, itâs a risk no agency leader should accept.â
Pete Watson
CEO, Atlas Cloud
âIâm delighted to see our groundbreaking industry research return for a second year running.
"Weâre already seeing positive steps by the industry de-risking, but it doesnât take a cyber expert to realise that more can and should be done.â
VIEW YOUR PERSONALISED REPORT
/ When was the last time you reviewed cyber insights?
4 in 5
…of boards or senior management within UK businesses rate cyber security as a âvery highâ or âfairly highâ priority.
39%
…of UK businesses have identified a cyber-attack within the last 12 months.
Official UK Gov. statistics from the NCSC
APSCO MEMBERS ENTITLED TO REVIEW THEIR CYBER REPORTS
As UK-based APSCo members are included in the study, relevant representatives are entitled to review the results relevant to their organisation for a limited time.
Reports are automated but, due to the nature of the content, we will be validating that requesting individuals are representatives of the organisation they’re wishing to review.Â
FREQUENTLY ASKED QUESTIONS
All of the information we have surfaced is publically available. It’s typically the data criminals will first review before deciding whether to form an attack, so a key first line of defence to get in order.
This is an automated cyber audit that has been compiled by Atlas Cloud to help the recruitment industry learn more about risk.
You are free to use this information however you wish â hopefully, it will inform your Risk Register and help you make more informed decisions about whether your cyber risks need to be addressed.
No matter what solutions you have in place, cyber risks build up over time. The Data Protection Act (2018) states agencies must take reasonable steps to protect any personal data, ensuring security âagainst unlawful or unauthorised accessâ.
If your risks are exploited and candidate information is accessed without authorisation, you face ani nvestigation from the Information Commissionerâs Office (ICO). They can fine up to ÂŁ8.7 million or 2% of turnover, whichever is greater.
Our latest case study summarises the known events from a breach at Acorn Recruitment.
In it, candidate data was stolen and the agency had to deal with compensation claims. We also found law firms offering ‘no win, no fee’ services for the specific event.
The simple answer is this: If you have an IT solution in place, it doesn’t necessarily mean you have your cyber security risks taken care of.
When you buy or implement an IT solution, it should obviously be secure. However, as time passes, security risks creep in that need to be periodically assessed and considered.
© Atlas Cloud Limited 2023, registered number: 07297347
3rd Floor, Maybrook House, 27 Grainger Street, Newcastle upon Tyne, NE1 5JE
